There's a growing trend spreading through many different organizations in which automated and advanced security features are being developed, capabilities which were previously in the realm of more traditional security vendors. There’s now more security in more places than ever before, with much of it owing to infrastructure and software-as-a-service (SaaS) providers. We can use this trend to learn lessons on what we can be doing to add more security everywhere.

In my last blog post, I discussed AWS GuardDuty. GuardDuty uses threat intelligence, machine learning and anomaly detection to deliver agent-less security findings across a variety of AWS services. Amazon, which grew from a bookseller to a hosting company, is now giving you the advanced security features to detect hackers in your network or abuse of your resources – all without installing any additional tools or software. This is a completely cloud-native network threat intelligence security solution baked right into your infrastructure.

Of course, not to be outdone, Microsoft has quite a few security features built into Azure. Notably, one of the features of Azure Active Directory is the ability to identify risky sign-ins. Using a combination of threat intelligence and user behavior analysis, Azure Active Directory can log, further scrutinize and deny sign-ins which fail a risk policy. This type of intelligence would previously have only been found in yet another installation: software for user and entity behavior analytics.

The infrastructure providers have a lot of surface area to cover, but SaaS players can automate a lot for you, as well. One of my favorite examples of this is GitHub. GitHub is a software-as-a-service provider of the popular “git” version control system, most commonly used for storing program source code. GitHub provides security alerts for vulnerabilities in source code dependencies and even instructions on how to upgrade to non-vulnerable versions.
Library dependency vulnerability scanning previously would have required an additional software package and DevOps integration, and no doubt additional types of security alerts will follow.

Additionally, Alphabet Inc., the parent holding company for Google, has just launched a new cyber security company called Chronicle. Chronicle aims to harness the vast amounts of user data, storage and computing capacity available at Google along with the VirusTotal malware intelligence property to “10x the speed and impact of security teams.” Cyber threat intelligence will likely never be the same.

A common thread here is the use of large datasets and often crowd-sourced data. Cloud providers have access to a wide range of user data and can add tremendous value by developing security features based on that data. However, they aren’t the only ones with potentially interesting and actionable data.

A valuable lesson is to use whatever you have access to, applying security where you can. The Center for Internet Security (CIS) 20 Critical Security Controls can be used as a framework of foundational controls and can be applied to many different types of data. Crowd-sourced web reputation scores or spam and malicious domain blacklists can be integrated with any number of tools. Information exchanges such as Information Sharing and Analysis Centers (ISACs) can provide sector-specific intelligence on cyber threats. If you have access to network data, you can look for suspicious network activity just like the infrastructure providers. If you have access to filesystem data, you can perform file integrity monitoring and search for known malware samples. If you’re on the DevOps team, you can integrate source code analysis and secure the entire DevOps stack.
The trend of combining crowd-sourced intelligence and user behavior analytics will continue to grow as more services push into the cloud, but organizations big or small, cloud or not, can implement security enhancements all based on what sorts of data they have access to.